package com.bbs.interceptor;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts2.ServletActionContext;

import com.bbs.comm.SessionContext;
import com.bbs.comm.SysConstant;
import com.bbs.dao.BaseDao;
import com.bbs.model.User;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;

public class ReplyPrivilegeInterceptor extends BaseDao implements Interceptor {

	public ReplyPrivilegeInterceptor() throws IOException {
		super();
	}
	private static final long serialVersionUID = 1L;

	@Override
	public void init() {
	}

	@Override
	public String intercept(ActionInvocation invocation) throws Exception {
		User user = null;
		HttpServletRequest request = ServletActionContext.getRequest();
		HttpSession session = request.getSession();
		SessionContext sc = ((SessionContext) session
				.getAttribute(SysConstant.SESSION_CONTEXT));
		if (null != sc) {// 在项目重新启动的时候可能为空，只要登录就再一次为SessionContext赋值
			user = sc.getUser();
			String requstUrl = request.getRequestURI();
			logger.info(user.getUser_name() + "请求的URl：" + requstUrl);

		}
		return "permissionDenied";
	}

	/**
	 * 在除了 验证权限：游客可以浏览，不能做任何改变数据库的操作 超级管理员：SA可以执行任何操作 只要登录就可以回复，发帖
	 * //肯定是有漏洞的，只要了解到怎么验证，肯定是可以绕过的
	 * 
	 * @param url
	 * @param user
	 * @param request
	 * @return
	 */
	public Boolean authenticate(String url, User user,
			HttpServletRequest request) {
		// 游客或超级管理员
		if (url.contains("add") && null == user.getUser_password()) {
			return false;
		}
		return true;
	}

	@Override
	public void destroy() {
		// TODO Auto-generated method stub

	}
}